<html>
<head><meta charset="utf-8"><title>Field access wrap around possible? (offset_from safety reqs) · t-lang/wg-unsafe-code-guidelines · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/index.html">t-lang/wg-unsafe-code-guidelines</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html">Field access wrap around possible? (offset_from safety reqs)</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="228695562"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228695562" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228695562">(Mar 04 2021 at 00:41)</a>:</h4>
<p>Lets say I have a struct on the stack. I get a pointer to it, and a pointer to its field. I then use <code>ptr::offset_from</code> to compute the difference between them after casting both to bytes (yes, this is essentially an <code>offset_of</code>)</p>
<p>Is this always sound? Almost all the safety requirements in <a href="https://doc.rust-lang.org/nightly/std/primitive.pointer.html#method.offset_from">https://doc.rust-lang.org/nightly/std/primitive.pointer.html#method.offset_from</a> are easy to prove, the tricky ones are:</p>
<ul>
<li>The distance between the pointers, in bytes, cannot overflow an isize.</li>
<li>The distance being in bounds cannot rely on “wrapping around” the address space.</li>
</ul>
<p>I don't know if this is guaranteed for this case. In practice it is obviously always true for values on the stack (well, perhaps not during CTFE? ... Not sure). Additionally, I believe the compiler relies on this when it emits llvm gepi for struct field access (although maybe it won't do that in some cases or something, IDK).</p>
<p>That said, I couldn't find anything that actually guaranteed this, so I turn to y'all.</p>



<a name="228696173"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228696173" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228696173">(Mar 04 2021 at 00:48)</a>:</h4>
<p>Concretely, something like</p>
<div class="codehilite" data-code-language="Rust"><pre><span></span><code><span class="c1">// Note: `SomeType` is not a reference or a pointer,</span>
<span class="c1">// and doesn't impl Deref. (We aren't talking about</span>
<span class="c1">// those cases).</span>
<span class="kd">let</span><span class="w"> </span><span class="n">some_object</span>: <span class="nc">SomeType</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">whatever</span><span class="p">;</span><span class="w"></span>
<span class="kd">let</span><span class="w"> </span><span class="n">ptr</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">&amp;</span><span class="n">some_object</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="o">*</span><span class="k">const</span><span class="w"> </span><span class="n">_</span><span class="p">;</span><span class="w"></span>
<span class="kd">let</span><span class="w"> </span><span class="n">field_ptr</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="o">&amp;</span><span class="n">some_object</span><span class="p">.</span><span class="n">field</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="o">*</span><span class="k">const</span><span class="w"> </span><span class="n">_</span><span class="p">;</span><span class="w"></span>
<span class="k">unsafe</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w">    </span><span class="p">(</span><span class="n">field_ptr</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="o">*</span><span class="k">const</span><span class="w"> </span><span class="kt">u8</span><span class="p">).</span><span class="n">offset_from</span><span class="p">(</span><span class="n">ptr</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="o">*</span><span class="k">const</span><span class="w"> </span><span class="kt">u8</span><span class="p">)</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="kt">usize</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
</code></pre></div>
<p>Lets ignore that I can use integer arithmetic here, it's not relevant to the question (also it doesn't work in const, whereas ptr::offset_from can be used in const with <code>#![feature(const_offset_from)]</code> (and a few others))</p>



<a name="228717568"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228717568" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228717568">(Mar 04 2021 at 05:00)</a>:</h4>
<p>Hmm, looking around I found: <a href="https://github.com/Gilnaa/memoffset/blob/master/src/offset_of.rs#L56">https://github.com/Gilnaa/memoffset/blob/master/src/offset_of.rs#L56</a>. This is unsound (even with addr_of) if wrapping is possible there. (in what's likely a purely theoretical way)</p>
<p>Git blame blames <span class="user-mention" data-user-id="120791">@RalfJ</span> for that line, which is encouraging to me for this being fine</p>



<a name="228719176"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228719176" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228719176">(Mar 04 2021 at 05:18)</a>:</h4>
<p>Doesn't this macro just inherit the same safety requirements as <code>offset_from</code> itself?</p>



<a name="228719501"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228719501" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228719501">(Mar 04 2021 at 05:22)</a>:</h4>
<p>you have to kinda go up a few levels to see how it's used, sorry</p>



<a name="228719557"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228719557" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228719557">(Mar 04 2021 at 05:23)</a>:</h4>
<p>just on its own, yes, but in context it's relying on base and field not being able to wrap for soundness. note that <code>offset_of!</code> is a safe macro</p>



<a name="228720850"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228720850" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228720850">(Mar 04 2021 at 05:40)</a>:</h4>
<p>from the naming I assume these are <code>&amp;x</code> and <code>&amp;x.field</code> for some struct <code>x</code>. AFAIK memory allocators don't produce or permit wrapping allocations</p>



<a name="228732492"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228732492" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228732492">(Mar 04 2021 at 08:15)</a>:</h4>
<p><span class="user-mention silent" data-user-id="209168">Thom Chiovoloni</span> <a href="#narrow/stream/136281-t-lang.2Fwg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs)/near/228717568">said</a>:</p>
<blockquote>
<p>Hmm, looking around I found: <a href="https://github.com/Gilnaa/memoffset/blob/master/src/offset_of.rs#L56">https://github.com/Gilnaa/memoffset/blob/master/src/offset_of.rs#L56</a>. This is unsound (even with addr_of) if wrapping is possible there. (in what's likely a purely theoretical way)</p>
<p>Git blame blames <span class="user-mention silent" data-user-id="120791">RalfJ</span> for that line, which is encouraging to me for this being fine</p>
</blockquote>
<p>wrapping is impossible when the ptr is actually dereferencable for the full size -- right?</p>



<a name="228732662"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228732662" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228732662">(Mar 04 2021 at 08:16)</a>:</h4>
<blockquote>
<p>AFAIK memory allocators don't produce or permit wrapping allocations</p>
</blockquote>
<p>Indeed. And furthermore, at least with the LLVM backend, memory allocations also can never be larger than <code>isize::MAX</code>.</p>



<a name="228732933"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228732933" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228732933">(Mar 04 2021 at 08:19)</a>:</h4>
<blockquote>
<p>wrapping is impossible when the ptr is actually dereferencable for the full size -- right?</p>
</blockquote>
<p>Hm, right, yes, that makes sense. Sold!</p>



<a name="228733714"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228733714" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228733714">(Mar 04 2021 at 08:25)</a>:</h4>
<p>One could actually remove some of these clauses in the offset_from docs I think</p>



<a name="228733757"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228733757" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228733757">(Mar 04 2021 at 08:25)</a>:</h4>
<p>this</p>
<blockquote>
<p>Both the starting and other pointer must be either in bounds or one byte past the end of the same allocated object.</p>
</blockquote>
<p>implies both</p>
<blockquote>
<p>The distance between the pointers, in bytes, cannot overflow an isize.</p>
</blockquote>
<p>and </p>
<blockquote>
<p>The distance being in bounds cannot rely on “wrapping around” the address space.</p>
</blockquote>



<a name="228733942"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228733942" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228733942">(Mar 04 2021 at 08:27)</a>:</h4>
<p>hm I guess the text after the list discusses this. but it makes it sound like one couldnt rely on this, whereas in practice on kind of has to.</p>



<a name="228734085"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228734085" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228734085">(Mar 04 2021 at 08:28)</a>:</h4>
<blockquote>
<p>However, some 32-bit and 16-bit platforms may successfully serve a request for more than isize::MAX bytes with things like Physical Address Extension. As such, memory acquired directly from allocators or memory mapped files may be too large to handle with this function.</p>
</blockquote>
<p>The thing is, not just offset_from breaks for such objects. Even <code>add</code> becomes wrong for such objects; it casts <code>usize</code> to <code>isize</code> and then calls <code>offset</code> and that would be wrong if there was an overflow.</p>



<a name="228734119"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228734119" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228734119">(Mar 04 2021 at 08:29)</a>:</h4>
<p>ah I guess <code>add</code> says that</p>
<blockquote>
<p>The computed offset, in bytes, cannot overflow an isize.</p>
</blockquote>



<a name="228734516"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228734516" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228734516">(Mar 04 2021 at 08:32)</a>:</h4>
<p>Yeah, the fact that those were listed separately from the overflow/wraparound case made me think there was some situation I was missing, which is why I added this topic. It would be nice to clarify this in those docs somehow.</p>



<a name="228735305"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228735305" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228735305">(Mar 04 2021 at 08:39)</a>:</h4>
<p>LLVM kind of assumes allocations are never bigger than isize so I am not entirely sure if what the docs say even makes sense here</p>



<a name="228735387"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228735387" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228735387">(Mar 04 2021 at 08:40)</a>:</h4>
<p>I guess it "works in practice" since LLVM doesnt notice that your allocation is so big, if you are really careful with your offsets</p>



<a name="228735710"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228735710" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> hyd-dev <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228735710">(Mar 04 2021 at 08:43)</a>:</h4>
<p>With regard to <a href="https://github.com/Gilnaa/memoffset/blob/91114005f0a5f5f20e90203426ab97c0c241cf04/src/offset_of.rs#L52">https://github.com/Gilnaa/memoffset/blob/91114005f0a5f5f20e90203426ab97c0c241cf04/src/offset_of.rs#L52</a>, <code>_memoffset_offset_from</code> is a <code>#[macro_export]</code> <em>safe</em> macro that wraps the <em>unsafe</em> <code>offset_from</code> without checking anything?<br>
That looks scary, even it's a "private" macro prefixed with <code>_</code>, since nothing can prevent people from abusing it:<br>
<a href="https://play.rust-lang.org/?version=nightly&amp;mode=debug&amp;edition=2018&amp;gist=69b3863fd3f61338eca35367133ab313">https://play.rust-lang.org/?version=nightly&amp;mode=debug&amp;edition=2018&amp;gist=69b3863fd3f61338eca35367133ab313</a></p>



<a name="228735786"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228735786" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228735786">(Mar 04 2021 at 08:43)</a>:</h4>
<p><span class="user-mention" data-user-id="374396">@hyd-dev</span> yeah, but Rust doesnt have private macros so there's not much we can do about this<br>
EDIT: Or rather, it doesnt have enough hygiene such that public macros can use private macros.</p>



<a name="228735824"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228735824" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228735824">(Mar 04 2021 at 08:44)</a>:</h4>
<p>FWIW, I think this is common for macro-using crates -- many of them have "private" <code>pub</code> modules full of stuff that users must never use</p>



<a name="228736203"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228736203" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228736203">(Mar 04 2021 at 08:47)</a>:</h4>
<p>also, I dont know what you mean by "safe macro", there is no such thing as "(un)safe macros"</p>



<a name="228736306"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228736306" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> hyd-dev <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228736306">(Mar 04 2021 at 08:48)</a>:</h4>
<p>I mean maybe the macro can be made to require to be used in an <code>unsafe</code> block? (Sorry for not being clear.)</p>



<a name="228736392"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228736392" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> hyd-dev <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228736392">(Mar 04 2021 at 08:49)</a>:</h4>
<p>That is,</p>
<div class="codehilite" data-code-language="Rust"><pre><span></span><code><span class="fm">macro_rules!</span><span class="w"> </span><span class="n">_memoffset_offset_from</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w">    </span><span class="p">(</span><span class="cp">$field</span>:<span class="nc">expr</span><span class="p">,</span><span class="w"> </span><span class="cp">$base</span>:<span class="nc">expr</span><span class="p">)</span><span class="w"> </span><span class="o">=&gt;</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w">        </span><span class="c1">// Compute offset, with unstable `offset_from` for const-compatibility.</span>
<span class="w">        </span><span class="c1">// (Requires the pointers to not dangle, but we already need that for `raw_field!` anyway.)</span>
<span class="w">        </span><span class="p">(</span><span class="cp">$field</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="o">*</span><span class="k">const</span><span class="w"> </span><span class="kt">u8</span><span class="p">).</span><span class="n">offset_from</span><span class="p">(</span><span class="cp">$base</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="o">*</span><span class="k">const</span><span class="w"> </span><span class="kt">u8</span><span class="p">)</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="kt">usize</span><span class="w"></span>
<span class="w">    </span><span class="p">};</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
</code></pre></div>



<a name="228736575"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228736575" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> hyd-dev <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228736575">(Mar 04 2021 at 08:51)</a>:</h4>
<p><a href="https://play.rust-lang.org/?version=nightly&amp;mode=debug&amp;edition=2018&amp;gist=09cba7848689696923b872083ce25409">https://play.rust-lang.org/?version=nightly&amp;mode=debug&amp;edition=2018&amp;gist=09cba7848689696923b872083ce25409</a></p>



<a name="228737262"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228737262" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228737262">(Mar 04 2021 at 08:58)</a>:</h4>
<p>And then we'll get <code>unused_unsafe</code> warnings when the other version of the macro is used due to <code>offset_from</code> not being available</p>



<a name="228737330"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228737330" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228737330">(Mar 04 2021 at 08:59)</a>:</h4>
<p>I'd be okay renaming the macro to include the word <code>unsafe</code>, that seems rather low-risk, but beyond that I dont think it is worth defending against people that go out of their way to break things by using private undocumented APIs</p>



<a name="228750223"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field%20access%20wrap%20around%20possible%3F%20%28offset_from%20safety%20reqs%29/near/228750223" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Field.20access.20wrap.20around.20possible.3F.20(offset_from.20safety.20reqs).html#228750223">(Mar 04 2021 at 10:44)</a>:</h4>
<p>You can always force a macro to be unsafe with something like <code>if false { std::hint::unreachable_unchecked() }; actual_macro_code</code></p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>